
performing a manual iPXE boot (eXR password/disaster recovery)


CCO documentation describes how to do a password recovery for eXR with a ZTP/PXE boot.

The operation can also be performed manually, much like a "turboboot" on classic XR.

This procedure wipes the complete system and installs a fresh copy, exactly like the turboboot with a tftp (yuk :) download from rommon that one is used to.

With this procedure the image can come from a remote file repository over http, for instance, or still over tftp, or it can be on an inserted usb stick.

Here is how to do it:

Reload the system and wait for this prompt:

 

BIOS Ver: 09.19 Date: 11/02/2015 17:02:33

Press <DEL> or <ESC> to enter boot manager.


Select the option for the built-in UEFI shell:

iPXE> ifstat
net0: 00:a0:c9:00:00:00 using i350-b on PCI01:00.0 (closed)
  [Link:up, TX:0 TXE:0 RX:0 RXE:0]
net1: 00:a0:c9:00:00:01 using i350-b on PCI01:00.1 (closed)
  [Link:up, TX:0 TXE:0 RX:0 RXE:0]
net2: 00:a0:c9:00:00:02 using i350-b on PCI01:00.2 (closed)
  [Link:down, TX:0 TXE:0 RX:0 RXE:0]
  [Link status: Down (http://ipxe.org/38086193)]
net3: 00:a0:c9:00:00:03 using i350-b on PCI01:00.3 (closed)
  [Link:down, TX:0 TXE:0 RX:0 RXE:0]
  [Link status: Down (http://ipxe.org/38086193)]
net4: 00:00:00:00:00:04 using dh8900cc on PCI02:00.1 (closed)
  [Link:down, TX:0 TXE:0 RX:0 RXE:0]
  [Link status: Down (http://ipxe.org/38086193)]
net5: 00:00:00:00:00:05 using dh8900cc on PCI02:00.2 (closed)
  [Link:down, TX:0 TXE:0 RX:0 RXE:0]
  [Link status: Down (http://ipxe.org/38086193)]
net6: 04:62:73:08:57:86 using dh8900cc on PCI02:00.3 (closed)
  [Link:up, TX:0 TXE:0 RX:0 RXE:0]

iPXE> set net6/ip 3.0.1.100
iPXE> set net6/netmask 255.0.0.0
iPXE> set net6/gateway 3.0.0.1
iPXE>
iPXE> ifopen net6

iPXE> ping 3.0.0.1
64 bytes from 3.0.0.1: seq=1
64 bytes from 3.0.0.1: seq=2
Finished: Operation canceled (http://ipxe.org/0b072095)

iPXE> boot http://3.0.0.1/633/ncs5500-mini-x.iso-6.3.3
http://3.0.0.1/663/ncs5500-mini-x.iso-6.3.3... ok

That is it!!

For multi-RP systems it is important, as with classic XR, that the standby RP is held in rommon/BIOS and is not attempting to boot.

 

------

Xander Thuijs CCIE #6775

Distinguished Engineer IOS-XR ASR9000/NCS5500

 

 

 

 

Comments
Cisco Employee

1. In the boot statement you mentioned, boot http://3.0.0.1/633/ncs5500-mini-x.iso-6.3.3, the HTTP option is used. I wanted to confirm: can we boot the router using TFTP?

2. In the ifstat output we get 7 net interfaces, 0 to 6. How can we identify which interface we have to configure the IP address on? In the above example net0, net1, and net6 are up; however, you have selected net6.

Cisco Employee

With modern golden ISO file sizes it is impossible to boot the system with TFTP. The reason is the TFTP protocol internals: within a single file transfer TFTP can transmit up to 65535 chunks. For example, if your TFTP server supports jumbo MTU and TFTP is able to pack a single chunk into a 9000-byte UDP packet, simple math shows that the theoretical maximum here is about 560Mb, which is slightly less than 1/3 of the Golden ISO.

So, the answer here: use HTTP to download the golden ISO and boot the system.

There is a trick if you don't have access to a local network with an available HTTP server. Almost any modern laptop with python installed can be turned into a private, static HTTP server (tested on MacOSX):

  1. download the XR installation TAR file
  2. unpack it into a separate folder, in my example Downloads/NCS5500-iosxr-k9-6.5.3
  3. run your preferred terminal application and change path into the prepared folder "cd Downloads/NCS5500-iosxr-k9-6.5.3"
  4. start a simple static HTTP server "python -m SimpleHTTPServer 8080"
  5. go back to the iPXE shell
    • get a DHCP address "iPXE> dhcp"
    • verify connectivity between the router and your laptop "iPXE> ping <your-laptop-ip>"
    • start the boot process "iPXE> boot http://<your-laptop-ip>:8080/ncs5500-mini-x-6.5.3.iso"
  6. once the system is re-imaged you can still use your laptop server to transfer the rest of the packages
  7. when you have finished with the node recovery/installation, just hit Ctrl-C in the window running python SimpleHTTPServer
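
Added example, not part of the comment above and not Cisco code: a Python 3 variant of the laptop HTTP server from steps 4 to 7 that checks the ISO against a checksum before serving it, binds to a single laptop address instead of all interfaces, and answers only the router being recovered. The names `image_matches`, `RecoveryHandler` and `make_server`, the 192.0.2.x addresses and the checksum placeholder are assumptions; it also assumes you obtained a SHA-512 for the image out of band.

```python
import functools
import hashlib
import hmac
import http.server


def sha512_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-gigabyte ISO is never held in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_matches(path, expected_hex):
    """Compare the file against a checksum obtained out of band (assumed)."""
    return hmac.compare_digest(sha512_file(path), expected_hex.strip().lower())


class RecoveryHandler(http.server.SimpleHTTPRequestHandler):
    """Serve files only to the router being recovered; no directory listings."""
    allowed_client = None  # filled in by make_server()

    def send_head(self):
        # send_head() backs both GET and HEAD, so one check covers both.
        if self.client_address[0] != self.allowed_client:
            self.send_error(403, "client not allowed")
            return None
        return super().send_head()

    def list_directory(self, path):
        self.send_error(404, "no listing")
        return None


def make_server(directory, bind_ip, port, router_ip):
    """Bind to one laptop address (not 0.0.0.0) and serve one directory."""
    handler = type("Handler", (RecoveryHandler,), {"allowed_client": router_ip})
    handler = functools.partial(handler, directory=directory)
    return http.server.ThreadingHTTPServer((bind_ip, port), handler)


if __name__ == "__main__":
    # Constructed values: replace with your ISO path, checksum and addresses.
    ISO, EXPECTED = "ncs5500-mini-x-6.5.3.iso", "<published-sha512>"
    if not image_matches(ISO, EXPECTED):
        raise SystemExit("checksum mismatch: not serving this image")
    make_server(".", "192.0.2.10", 8080, "192.0.2.20").serve_forever()
```

The router address passed as `router_ip` is the one iPXE obtained from `dhcp` or was given with `set netX/ip`; stop the server with Ctrl-C once the recovery is done, as in step 7.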

 

 

Cisco Employee

Hi azarecha,

Thank you for your updates; however, in one of my cases I had rebooted the router using TFTP instead of HTTP.

Below are the logs:

 

iPXE> ifstat
net0: 00:00:01:1c:00:00 using i350-b on PCI01:00.0 (closed)
[Link:up, TX:10 TXE:0 RX:22 RXE:22]
[RXE: 22 x "The socket is not connected (http://ipxe.org/380f6093)"]
net1: 00:00:01:1c:00:00 using i350-b on PCI01:00.1 (closed)
[Link:up, TX:10 TXE:0 RX:28 RXE:28]
[RXE: 28 x "The socket is not connected (http://ipxe.org/380f6093)"]
net2: 00:a0:c9:00:00:02 using i350-b on PCI01:00.2 (closed)
[Link:down, TX:0 TXE:0 RX:0 RXE:0]
[Link status: Down (http://ipxe.org/38086193)]
net3: 00:a0:c9:00:00:03 using i350-b on PCI01:00.3 (closed)
[Link:down, TX:0 TXE:0 RX:0 RXE:0]
[Link status: Down (http://ipxe.org/38086193)]
net4: 00:00:00:00:00:04 using dh8900cc on PCI02:00.1 (closed)
[Link:down, TX:0 TXE:0 RX:0 RXE:0]
[Link status: Down (http://ipxe.org/38086193)]
net5: 00:00:00:00:00:05 using dh8900cc on PCI02:00.2 (closed)
[Link:down, TX:0 TXE:0 RX:0 RXE:0]
[Link status: Down (http://ipxe.org/38086193)]
net6: 5c:5a:c7:11:68:62 using dh8900cc on PCI02:00.3 (open)
[Link:up, TX:10 TXE:0 RX:260 RXE:151]
[RXE: 107 x "Operation not supported (http://ipxe.org/3c086083)"]
[RXE: 38 x "Error 0x440e6083 (http://ipxe.org/440e6083)"]
[RXE: 6 x "The socket is not connected (http://ipxe.org/380f6093)"]

 

iPXE> set net6/ip 10.7.7.48
iPXE> set net6/netmask 255.255.255.0
iPXE> set net6/gateway 10.7.7.1

iPXE> boot tftp://10.7.8.76/ncs5500-mini-x-6.5.3.iso
tftp://10.7.8.76/ncs5500-mini-x-6.5.3.iso... 0%  0%  1%  1%  2%  2%  2%  3%  3%  4%  4%  5%  5%  5%  6%  6%  7%  7%  8%  8%  8%  9%  9%  10%  10%  10%  11%  11%  12%  12%  13%  13%  13%  14%  14%  15%  15%  16%  16%  16%  17%  17%  18%  18%  18%  19%  19%  20%  20%  20%  21%  21%  21%  22%  22%  23%  23%  23%  24%  24%  25%  25%  26%  26%  26%  27%  27%  28%  28%  28%  29%  29%  30%  30%  30%  31%  31%  32%  32%  33%  33%  33%  34%  34%  35%  35%  35%  36%  36%  37%  37%  38%  38%  38%  39%  39%  40%  40%  41%  41%  41%  42%  42%  43%  43%  43%  44%  44%  44%  44%  45%  45%  46%  46%  46%  46%  47%  47%  47%  48%  48%  48%  49%  49%  50%  50%  50%  51%  51%  52%  52%  52%  53%  53%  54%  54%  55%  55%  55%  56%  56%  57%  57%  58%  58%  58%  59%  59%  60%  60%  61%  61%  61%  62%  62%  63%  63%  63%  64%  64%  65%  65%  66%  66%  66%  67%  67%  68%  68%  68%  69%  69%  70%  70%  71%  71%  71%  72%  72%  73%  73%  73%  74%  74%  75%  75%  76%  76%  76%  77%  77%  78%  78%  79%  79%  79%  80%  80%  81%  81%  81%  82%  82%  83%  83%  84%  84%  84%  85%  85%  86%  86%  87%  87%  87%  88%  88%  89%  89%  90%  90%  90%  91%  91%  92%  92%  92%  93%  93%  94%  94%  95%  95%  95%  96%  96%  97%  97%  98%  98%  98%  99%  99%  ok
Memory required for image[ncs5500-mini-x-6.5.3.iso]: 1417299968, available: 2079309824

Image verified sucessfully. Booting...
Booting iso-image@0x5eb85b000(1417299968), bzImage@0x5eb897000(6114366)
**** PASS: secure boot verification of image: bzImage****
[ 0.594564] Allocating netns hash table
Expanding ISO image

 

User Access Verification

 

 

Username: root

 

Password:

RP/0/RP1/CPU0:ios#sh ver

 

Wed May 13 08:19:36.253 UTC


Cisco IOS XR Software, Version 6.5.3

 

Cisco Employee

Hi pradeshi,

Can you please share which TFTPd protocol server was used here? I'm aware of only two TFTPd servers that allow serving chunks greater than the available MTU:

  • TFTPd32/TFTPd64
  • tftpd-hpa

Regards,

Andrii

Cisco Employee

Hi Andrii,

 

tftp-hpa 5.2, with remap, with tcpwrappers running on Ubuntu 16.04.6 LTS was used.

 

Regards,

Pradeep Shinde
